convex-zen 0.0.1

package/dist/component/providers/emailPassword.js

@@ -0,0 +1,316 @@
+import { argon2id, argon2Verify } from "hash-wasm";
+import { v } from "convex/values";
+import { internalAction, internalMutation } from "../_generated/server";
+import { internal } from "../_generated/api";
+async function hashPassword(password) {
+    return argon2id({
+        password,
+        salt: crypto.getRandomValues(new Uint8Array(16)),
+        parallelism: 1,
+        iterations: 2,
+        memorySize: 19456, // 19 MB in KB
+        hashLength: 32,
+        outputType: "encoded", // PHC string — includes salt + params
+    });
+}
+/** Simple email validation — no ReDoS-prone regex. */
+function isValidEmail(email) {
+    if (email.length > 255)
+        return false;
+    const atIndex = email.indexOf("@");
+    if (atIndex < 1)
+        return false;
+    const domain = email.slice(atIndex + 1);
+    if (domain.length < 3)
+        return false;
+    if (!domain.includes("."))
+        return false;
+    return true;
+}
+/**
+ * Sign up with email and password.
+ *
+ * Returns the verification code so the host app (via ConvexAuth client)
+ * can send the email. Functions cannot be passed as Convex args.
+ *
+ * Flow:
+ * 1. Validate email
+ * 2. Check IP rate limit
+ * 3. Check email not already registered
+ * 4. Hash password with Argon2id
+ * 5. Create user + account
+ * 6. Generate verification code
+ * 7. Return { status: "verification_required", verificationCode }
+ */
+export const signUp = internalAction({
+    args: {
+        email: v.string(),
+        password: v.string(),
+        name: v.optional(v.string()),
+        ipAddress: v.optional(v.string()),
+    },
+    handler: async (ctx, args) => {
+        const { email, password, name, ipAddress } = args;
+        // 1. Validate email
+        if (!isValidEmail(email)) {
+            throw new Error("Invalid email address");
+        }
+        // 2. Check IP rate limit
+        if (ipAddress) {
+            const key = `signup:ip:${ipAddress}`;
+            const rateCheck = await ctx.runQuery(internal.lib.rateLimit.check, {
+                key,
+            });
+            if (rateCheck.limited) {
+                throw new Error("Too many requests. Please try again later.");
+            }
+        }
+        // 3. Check email not already registered
+        const existingUser = await ctx.runQuery(internal.core.users.getByEmail, {
+            email: email.toLowerCase(),
+        });
+        if (existingUser) {
+            // Increment rate limit to avoid timing-based email enumeration
+            if (ipAddress) {
+                await ctx.runMutation(internal.lib.rateLimit.increment, {
+                    key: `signup:ip:${ipAddress}`,
+                });
+            }
+            throw new Error("Email already registered");
+        }
+        // 4. Hash password with Argon2id
+        const passwordHash = await hashPassword(password);
+        // 5. Create user + account
+        const userId = await ctx.runMutation(internal.core.users.create, {
+            email: email.toLowerCase(),
+            emailVerified: false,
+            name,
+        });
+        await ctx.runMutation(internal.core.users.createAccount, {
+            userId,
+            providerId: "credential",
+            accountId: email.toLowerCase(),
+            passwordHash,
+        });
+        // 6. Generate verification code (returned to caller for email sending)
+        const { code, expiresAt } = await ctx.runMutation(internal.core.verifications.create, {
+            identifier: email.toLowerCase(),
+            type: "email-verification",
+        });
+        // Schedule cleanup at expiry
+        await ctx.scheduler.runAt(expiresAt, internal.core.verifications.cleanup, {});
+        return { status: "verification_required", verificationCode: code };
+    },
+});
+/**
+ * Sign in with email and password.
+ *
+ * Flow:
+ * 1. Check rate limits (IP + email)
+ * 2. Look up account by email
+ * 3. Verify Argon2id hash
+ * 4. Check banned status
+ * 5. Create session
+ * 6. Return { sessionToken, userId }
+ */
+export const signIn = internalAction({
+    args: {
+        email: v.string(),
+        password: v.string(),
+        ipAddress: v.optional(v.string()),
+        userAgent: v.optional(v.string()),
+        requireEmailVerified: v.optional(v.boolean()),
+    },
+    handler: async (ctx, args) => {
+        const { email, password, ipAddress, userAgent, requireEmailVerified } = args;
+        const normalizedEmail = email.toLowerCase();
+        // 1. Check rate limits
+        const rateLimitKeys = [];
+        if (ipAddress)
+            rateLimitKeys.push(`signin:ip:${ipAddress}`);
+        rateLimitKeys.push(`signin:email:${normalizedEmail}`);
+        for (const key of rateLimitKeys) {
+            const rateCheck = await ctx.runQuery(internal.lib.rateLimit.check, {
+                key,
+            });
+            if (rateCheck.limited) {
+                throw new Error("Too many failed attempts. Please try again later.");
+            }
+        }
+        // Helper to record failure
+        const recordFailure = async () => {
+            for (const key of rateLimitKeys) {
+                await ctx.runMutation(internal.lib.rateLimit.increment, { key });
+            }
+        };
+        // 2. Look up account by email
+        const account = await ctx.runQuery(internal.core.users.getAccount, {
+            providerId: "credential",
+            accountId: normalizedEmail,
+        });
+        if (!account || !account.passwordHash) {
+            await recordFailure();
+            throw new Error("Invalid email or password");
+        }
+        // 3. Verify Argon2id hash
+        const isValid = await argon2Verify({
+            password,
+            hash: account.passwordHash,
+        });
+        if (!isValid) {
+            await recordFailure();
+            throw new Error("Invalid email or password");
+        }
+        // 4. Check email verified if required
+        const user = await ctx.runQuery(internal.core.users.getById, {
+            userId: account.userId,
+        });
+        if (requireEmailVerified && !user?.emailVerified) {
+            throw new Error("Email address not verified");
+        }
+        // 4b. Check banned status
+        if (user?.banned) {
+            const now = Date.now();
+            if (user.banExpires === undefined || user.banExpires > now) {
+                throw new Error(`Account banned${user.banReason ? ": " + user.banReason : ""}`);
+            }
+        }
+        // 5. Reset rate limits on success
+        for (const key of rateLimitKeys) {
+            await ctx.runMutation(internal.lib.rateLimit.reset, { key });
+        }
+        // 6. Create session
+        const sessionToken = await ctx.runMutation(internal.core.sessions.create, {
+            userId: account.userId,
+            ipAddress,
+            userAgent,
+        });
+        return { sessionToken, userId: account.userId };
+    },
+});
+/**
+ * Verify email address with a verification code.
+ */
+export const verifyEmail = internalAction({
+    args: {
+        email: v.string(),
+        code: v.string(),
+    },
+    handler: async (ctx, { email, code }) => {
+        const normalizedEmail = email.toLowerCase();
+        const result = await ctx.runMutation(internal.core.verifications.verify, {
+            identifier: normalizedEmail,
+            type: "email-verification",
+            code,
+        });
+        if (result.status !== "valid") {
+            return result;
+        }
+        // Mark user as verified
+        const user = await ctx.runQuery(internal.core.users.getByEmail, {
+            email: normalizedEmail,
+        });
+        if (user) {
+            await ctx.runMutation(internal.core.users.update, {
+                userId: user._id,
+                emailVerified: true,
+            });
+        }
+        return { status: "valid" };
+    },
+});
+/**
+ * Request a password reset code.
+ * Returns the reset code so the host app can send the email.
+ * Always returns { status: "sent" } to prevent email enumeration.
+ * Returns resetCode only when a real user was found.
+ */
+export const requestPasswordReset = internalAction({
+    args: {
+        email: v.string(),
+        ipAddress: v.optional(v.string()),
+    },
+    handler: async (ctx, args) => {
+        const { email, ipAddress } = args;
+        const normalizedEmail = email.toLowerCase();
+        // Rate limit
+        if (ipAddress) {
+            const key = `reset:ip:${ipAddress}`;
+            const rateCheck = await ctx.runQuery(internal.lib.rateLimit.check, {
+                key,
+            });
+            if (rateCheck.limited) {
+                // Don't reveal if email exists; return success silently
+                return { status: "sent", resetCode: null };
+            }
+            await ctx.runMutation(internal.lib.rateLimit.increment, { key });
+        }
+        const user = await ctx.runQuery(internal.core.users.getByEmail, {
+            email: normalizedEmail,
+        });
+        if (!user) {
+            // Always return success to prevent email enumeration
+            return { status: "sent", resetCode: null };
+        }
+        const { code, expiresAt } = await ctx.runMutation(internal.core.verifications.create, {
+            identifier: normalizedEmail,
+            type: "password-reset",
+        });
+        await ctx.scheduler.runAt(expiresAt, internal.core.verifications.cleanup, {});
+        return { status: "sent", resetCode: code };
+    },
+});
+/**
+ * Reset password using a verification code.
+ */
+export const resetPassword = internalAction({
+    args: {
+        email: v.string(),
+        code: v.string(),
+        newPassword: v.string(),
+    },
+    handler: async (ctx, { email, code, newPassword }) => {
+        const normalizedEmail = email.toLowerCase();
+        const result = await ctx.runMutation(internal.core.verifications.verify, {
+            identifier: normalizedEmail,
+            type: "password-reset",
+            code,
+        });
+        if (result.status !== "valid") {
+            return result;
+        }
+        // Hash new password
+        const passwordHash = await hashPassword(newPassword);
+        // Update account password hash
+        const account = await ctx.runQuery(internal.core.users.getAccount, {
+            providerId: "credential",
+            accountId: normalizedEmail,
+        });
+        if (!account) {
+            throw new Error("Account not found");
+        }
+        await ctx.runMutation(internal.providers.emailPassword.updatePasswordHash, {
+            accountId: account._id,
+            passwordHash,
+        });
+        // Invalidate all sessions (force re-login after password reset)
+        await ctx.runMutation(internal.core.sessions.invalidateAll, {
+            userId: account.userId,
+        });
+        return { status: "valid" };
+    },
+});
+/** Internal mutation to update password hash on an account. */
+export const updatePasswordHash = internalMutation({
+    args: {
+        accountId: v.id("accounts"),
+        passwordHash: v.string(),
+    },
+    handler: async (ctx, { accountId, passwordHash }) => {
+        await ctx.db.patch(accountId, {
+            passwordHash,
+            updatedAt: Date.now(),
+        });
+    },
+});
+//# sourceMappingURL=emailPassword.js.map

package/dist/component/providers/emailPassword.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailPassword.js","sourceRoot":"","sources":["../../../src/component/providers/emailPassword.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAE7C,KAAK,UAAU,YAAY,CAAC,QAAgB;IAC1C,OAAO,QAAQ,CAAC;QACd,QAAQ;QACR,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAChD,WAAW,EAAE,CAAC;QACd,UAAU,EAAE,CAAC;QACb,UAAU,EAAE,KAAK,EAAE,cAAc;QACjC,UAAU,EAAE,EAAE;QACd,UAAU,EAAE,SAAS,EAAE,sCAAsC;KAC9D,CAAC,CAAC;AACL,CAAC;AAED,sDAAsD;AACtD,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,OAAO,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IACxC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,cAAc,CAAC;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC5B,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;QAElD,oBAAoB;QACpB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,yBAAyB;QACzB,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,GAAG,GAAG,aAAa,SAAS,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE;gBACjE,GAAG;aACJ,CAAC,CAAC;YACH,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;YACtE,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;SAC3B,CAAC,CAAC;QACH,IAAI,YAAY,EAAE,CAAC;YACjB,+DAA+D;YAC/D,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE;oBACtD,GAAG,EAAE,aAAa,SAAS,EAAE;iBAC9B,CAAC,CAAC;YACL,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,iCAAiC;QACjC,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QAElD,2BAA2B;QAC3B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAC/D,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE;YAC1B,aAAa,EAAE,KAAK;YACpB,IAAI;SACL,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE;YACvD,MAAM;YACN,UAAU,EAAE,YAAY;YACxB,SAAS,EAAE,KAAK,CAAC,WAAW,EAAE;YAC9B,YAAY;SACb,CAAC,CAAC;QAEH,uEAAuE;QACvE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,GAAG,CAAC,WAAW,CAC/C,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAClC;YACE,UAAU,EAAE,KAAK,CAAC,WAAW,EAAE;YAC/B,IAAI,EAAE,oBAAoB;SAC3B,CACF,CAAC;QAEF,6BAA6B;QAC7B,MAAM,GAAG,CAAC,SAAS,CAAC,KAAK,CACvB,SAAS,EACT,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,EACnC,EAAE,CACH,CAAC;QAEF,OAAO,EAAE,MAAM,EAAE,uBAAgC,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC;IAC9E,CAAC;CACF,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,cAAc,CAAC;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,oBAAoB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;KAC9C;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,oBAAoB,EAAE,GACnE,IAAI,CAAC;QACP,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAE5C,uBAAuB;QACvB,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,IAAI,SAAS;YAAE,aAAa,CAAC,IAAI,CAAC,aAAa,SAAS,EAAE,CAAC,CAAC;QAC5D,aAAa,CAAC,IAAI,CAAC,gBAAgB,eAAe,EAAE,CAAC,CAAC;QAEtD,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE;gBACjE,GAAG;aACJ,CAAC,CAAC;YACH,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,MAAM,aAAa,GAAG,KAAK,IAAI,EAAE;YAC/B,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;gBAChC,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;YACnE,CAAC;QACH,CAAC,CAAC;QAEF,8BAA8B;QAC9B,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;YACjE,UAAU,EAAE,YAAY;YACxB,SAAS,EAAE,eAAe;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YACtC,MAAM,aAAa,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,0BAA0B;QAC1B,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC;YACjC,QAAQ;YACR,IAAI,EAAE,OAAO,CAAC,YAAY;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,aAAa,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,sCAAsC;QACtC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE;YAC3D,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QAEH,IAAI,oBAAoB,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,0BAA0B;QAC1B,IAAI,IAAI,EAAE,MAAM,EAAE,CAAC;YACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,IAAI,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CACb,iBAAiB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,oBAAoB;QACpB,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE;YACxE,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,SAAS;YACT,SAAS;SACV,CAAC,CAAC;QAEH,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;IAClD,CAAC;CACF,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,cAAc,CAAC;IACxC,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACjB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE;QACtC,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAE5C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;YACvE,UAAU,EAAE,eAAe;YAC3B,IAAI,EAAE,oBAAoB;YAC1B,IAAI;SACL,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;YAC9D,KAAK,EAAE,eAAe;SACvB,CAAC,CAAC;QACH,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;gBAChD,MAAM,EAAE,IAAI,CAAC,GAAG;gBAChB,aAAa,EAAE,IAAI;aACpB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,OAAgB,EAAE,CAAC;IACtC,CAAC;CACF,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,cAAc,CAAC;IACjD,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;QAClC,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAE5C,aAAa;QACb,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,GAAG,GAAG,YAAY,SAAS,EAAE,CAAC;YACpC,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE;gBACjE,GAAG;aACJ,CAAC,CAAC;YACH,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;gBACtB,wDAAwD;gBACxD,OAAO,EAAE,MAAM,EAAE,MAAe,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;YACtD,CAAC;YACD,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;YAC9D,KAAK,EAAE,eAAe;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,qDAAqD;YACrD,OAAO,EAAE,MAAM,EAAE,MAAe,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACtD,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,GAAG,CAAC,WAAW,CAC/C,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAClC;YACE,UAAU,EAAE,eAAe;YAC3B,IAAI,EAAE,gBAAgB;SACvB,CACF,CAAC;QAEF,MAAM,GAAG,CAAC,SAAS,CAAC,KAAK,CACvB,SAAS,EACT,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,EACnC,EAAE,CACH,CAAC;QAEF,OAAO,EAAE,MAAM,EAAE,MAAe,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACtD,CAAC;CACF,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,cAAc,CAAC;IAC1C,IAAI,EAAE;QACJ,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;KACxB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE;QACnD,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAE5C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;YACvE,UAAU,EAAE,eAAe;YAC3B,IAAI,EAAE,gBAAgB;YACtB,IAAI;SACL,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,oBAAoB;QACpB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAC;QAErD,+BAA+B;QAC/B,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;YACjE,UAAU,EAAE,YAAY;YACxB,SAAS,EAAE,eAAe;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QAED,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,kBAAkB,EAAE;YACzE,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,YAAY;SACb,CAAC,CAAC;QAEH,gEAAgE;QAChE,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE;YAC1D,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QAEH,OAAO,EAAE,MAAM,EAAE,OAAgB,EAAE,CAAC;IACtC,CAAC;CACF,CAAC,CAAC;AAEH,+DAA+D;AAC/D,MAAM,CAAC,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;IACjD,IAAI,EAAE;QACJ,SAAS,EAAE,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC;QAC3B,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;KACzB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,EAAE,EAAE;QAClD,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE;YAC5B,YAAY;YACZ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC"}

package/dist/component/providers/oauth.d.ts

@@ -0,0 +1,33 @@
+import { type GenericId } from "convex/values";
+/** Store OAuth state and code verifier for PKCE flow. */
+export declare const storeOAuthState: import("convex/server").RegisteredMutation<"internal", {
+    redirectUrl?: string;
+    expiresAt: number;
+    stateHash: string;
+    codeVerifier: string;
+    provider: string;
+}, Promise<void>>;
+/** Retrieve and delete an OAuth state record by state hash (single-use). */
+export declare const consumeOAuthState: import("convex/server").RegisteredMutation<"internal", {
+    stateHash: string;
+}, Promise<{
+    _id: GenericId<"oauthStates">;
+    _creationTime: number;
+    redirectUrl?: string;
+    createdAt: number;
+    expiresAt: number;
+    stateHash: string;
+    codeVerifier: string;
+    provider: string;
+} | null>>;
+/**
+ * Initiate an OAuth authorization flow.
+ * Returns the authorization URL with PKCE + state parameters.
+ */
+export declare const getAuthorizationUrl: any;
+/**
+ * Handle the OAuth callback.
+ * Validates state, exchanges code for tokens, upserts user, creates session.
+ */
+export declare const handleCallback: any;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/component/providers/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../../src/component/providers/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAK,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AA6ClD,yDAAyD;AACzD,eAAO,MAAM,eAAe;;;;;;iBAmB1B,CAAC;AAEH,4EAA4E;AAC5E,eAAO,MAAM,iBAAiB;;;;;;;;;;;UAmB5B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB,KAyC9B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc,KA6KzB,CAAC"}

package/dist/component/providers/oauth.js

@@ -0,0 +1,256 @@
+import { v } from "convex/values";
+import { internalAction, internalMutation } from "../_generated/server";
+import { internal } from "../_generated/api";
+import { generateState, generateCodeVerifier, generateCodeChallenge, hashToken, } from "../lib/crypto";
+import { oauthProviderConfigValidator } from "../lib/validators";
+/** OAuth state TTL: 10 minutes. */
+const STATE_TTL_MS = 10 * 60 * 1000;
+function assertValidProviderConfig(provider) {
+    const required = [
+        provider.id,
+        provider.clientId,
+        provider.clientSecret,
+        provider.authorizationUrl,
+        provider.tokenUrl,
+        provider.userInfoUrl,
+    ];
+    if (required.some((value) => value.trim().length === 0)) {
+        throw new Error("Invalid OAuth provider configuration");
+    }
+    if (provider.scopes.length === 0) {
+        throw new Error("OAuth provider scopes must not be empty");
+    }
+    const urls = [provider.authorizationUrl, provider.tokenUrl, provider.userInfoUrl];
+    for (const rawUrl of urls) {
+        let parsed;
+        try {
+            parsed = new URL(rawUrl);
+        }
+        catch {
+            throw new Error("Invalid OAuth provider URL");
+        }
+        if (parsed.protocol !== "https:") {
+            throw new Error("OAuth provider URLs must use HTTPS");
+        }
+    }
+}
+/** Store OAuth state and code verifier for PKCE flow. */
+export const storeOAuthState = internalMutation({
+    args: {
+        stateHash: v.string(),
+        codeVerifier: v.string(),
+        provider: v.string(),
+        redirectUrl: v.optional(v.string()),
+        expiresAt: v.number(),
+    },
+    handler: async (ctx, args) => {
+        const now = Date.now();
+        await ctx.db.insert("oauthStates", {
+            stateHash: args.stateHash,
+            codeVerifier: args.codeVerifier,
+            provider: args.provider,
+            redirectUrl: args.redirectUrl,
+            expiresAt: args.expiresAt,
+            createdAt: now,
+        });
+    },
+});
+/** Retrieve and delete an OAuth state record by state hash (single-use). */
+export const consumeOAuthState = internalMutation({
+    args: { stateHash: v.string() },
+    handler: async (ctx, { stateHash }) => {
+        const record = await ctx.db
+            .query("oauthStates")
+            .withIndex("by_stateHash", (q) => q.eq("stateHash", stateHash))
+            .unique();
+        if (!record)
+            return null;
+        // Delete immediately (single-use)
+        await ctx.db.delete(record._id);
+        if (record.expiresAt < Date.now()) {
+            return null; // Expired
+        }
+        return record;
+    },
+});
+/**
+ * Initiate an OAuth authorization flow.
+ * Returns the authorization URL with PKCE + state parameters.
+ */
+export const getAuthorizationUrl = internalAction({
+    args: {
+        provider: oauthProviderConfigValidator,
+        redirectUrl: v.optional(v.string()),
+    },
+    handler: async (ctx, args) => {
+        const provider = args.provider;
+        assertValidProviderConfig(provider);
+        // Generate state (32 bytes = 256 bit)
+        const state = generateState();
+        const stateHash = await hashToken(state);
+        // Generate PKCE code verifier and challenge
+        const codeVerifier = generateCodeVerifier();
+        const codeChallenge = await generateCodeChallenge(codeVerifier);
+        const expiresAt = Date.now() + STATE_TTL_MS;
+        await ctx.runMutation(internal.providers.oauth.storeOAuthState, {
+            stateHash,
+            codeVerifier,
+            provider: provider.id,
+            redirectUrl: args.redirectUrl,
+            expiresAt,
+        });
+        // Build authorization URL
+        const url = new URL(provider.authorizationUrl);
+        url.searchParams.set("client_id", provider.clientId);
+        url.searchParams.set("response_type", "code");
+        url.searchParams.set("scope", provider.scopes.join(" "));
+        url.searchParams.set("state", state);
+        url.searchParams.set("code_challenge", codeChallenge);
+        url.searchParams.set("code_challenge_method", "S256");
+        if (args.redirectUrl) {
+            url.searchParams.set("redirect_uri", args.redirectUrl);
+        }
+        return { authorizationUrl: url.toString() };
+    },
+});
+/**
+ * Handle the OAuth callback.
+ * Validates state, exchanges code for tokens, upserts user, creates session.
+ */
+export const handleCallback = internalAction({
+    args: {
+        provider: oauthProviderConfigValidator,
+        code: v.string(),
+        state: v.string(),
+        redirectUrl: v.optional(v.string()),
+        ipAddress: v.optional(v.string()),
+        userAgent: v.optional(v.string()),
+    },
+    handler: async (ctx, args) => {
+        const provider = args.provider;
+        assertValidProviderConfig(provider);
+        // Use global fetch; tests can mock it via vi.spyOn(globalThis, 'fetch')
+        const fetchFn = fetch;
+        // 1. Validate state against stored stateHash
+        const stateHash = await hashToken(args.state);
+        const stateRecord = await ctx.runMutation(internal.providers.oauth.consumeOAuthState, { stateHash });
+        if (!stateRecord) {
+            throw new Error("Invalid or expired OAuth state");
+        }
+        if (stateRecord.provider !== provider.id) {
+            throw new Error("Provider mismatch in OAuth state");
+        }
+        // 2. Exchange code + code_verifier for tokens
+        const tokenParams = new URLSearchParams({
+            grant_type: "authorization_code",
+            client_id: provider.clientId,
+            client_secret: provider.clientSecret,
+            code: args.code,
+            code_verifier: stateRecord.codeVerifier,
+        });
+        if (args.redirectUrl ?? stateRecord.redirectUrl) {
+            tokenParams.set("redirect_uri", (args.redirectUrl ?? stateRecord.redirectUrl));
+        }
+        const tokenRes = await fetchFn(provider.tokenUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: tokenParams.toString(),
+        });
+        if (!tokenRes.ok) {
+            throw new Error(`Token exchange failed: ${tokenRes.status}`);
+        }
+        const tokens = await tokenRes.json();
+        // 3. Fetch user profile from provider
+        const userRes = await fetchFn(provider.userInfoUrl, {
+            headers: { Authorization: `Bearer ${tokens.access_token}` },
+        });
+        if (!userRes.ok) {
+            throw new Error(`User info fetch failed: ${userRes.status}`);
+        }
+        const profile = await userRes.json();
+        const providerId = provider.id;
+        const accountId = (profile.id ?? profile.sub)?.toString();
+        if (!accountId) {
+            throw new Error("Could not determine provider user ID");
+        }
+        const email = profile.email?.toLowerCase();
+        const name = profile.name ?? profile.login;
+        const image = profile.picture ?? profile.avatar_url;
+        const accessTokenExpiresAt = tokens.expires_in
+            ? Date.now() + tokens.expires_in * 1000
+            : undefined;
+        // 4. Find existing account or create user + account (account linking by email)
+        const existingAccount = await ctx.runQuery(internal.core.users.getAccount, {
+            providerId,
+            accountId,
+        });
+        let userId;
+        if (existingAccount) {
+            // Update tokens on existing account
+            await ctx.runMutation(internal.core.users.updateAccount, {
+                accountId: existingAccount._id,
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token,
+                accessTokenExpiresAt,
+            });
+            userId = existingAccount.userId;
+        }
+        else {
+            // Try to link by email
+            const existingUser = email
+                ? await ctx.runQuery(internal.core.users.getByEmail, { email })
+                : null;
+            if (!existingUser && email) {
+                // Create new user
+                userId = await ctx.runMutation(internal.core.users.create, {
+                    email,
+                    emailVerified: true, // OAuth providers verify email
+                    name,
+                    image,
+                });
+            }
+            else if (existingUser) {
+                userId = existingUser._id;
+                // Update profile info from OAuth
+                await ctx.runMutation(internal.core.users.update, {
+                    userId: existingUser._id,
+                    emailVerified: true,
+                    name: name ?? existingUser.name,
+                    image: image ?? existingUser.image,
+                });
+            }
+            else {
+                throw new Error("OAuth provider did not return an email address");
+            }
+            // Create account entry
+            await ctx.runMutation(internal.core.users.createAccount, {
+                userId,
+                providerId,
+                accountId,
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token,
+                accessTokenExpiresAt,
+            });
+        }
+        // 5. Check banned status
+        const user = await ctx.runQuery(internal.core.users.getById, { userId });
+        if (user?.banned) {
+            const now = Date.now();
+            if (user.banExpires === undefined || user.banExpires > now) {
+                throw new Error(`Account banned${user.banReason ? ": " + user.banReason : ""}`);
+            }
+        }
+        // 6. Create session
+        const sessionToken = await ctx.runMutation(internal.core.sessions.create, {
+            userId,
+            ipAddress: args.ipAddress,
+            userAgent: args.userAgent,
+        });
+        return {
+            sessionToken,
+            userId,
+            redirectUrl: stateRecord.redirectUrl,
+        };
+    },
+});
+//# sourceMappingURL=oauth.js.map

package/dist/component/providers/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../../src/component/providers/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAkB,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAiB,MAAM,sBAAsB,CAAC;AACvF,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,qBAAqB,EACrB,SAAS,GACV,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AAGjE,mCAAmC;AACnC,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEpC,SAAS,yBAAyB,CAAC,QAA6B;IAC9D,MAAM,QAAQ,GAAG;QACf,QAAQ,CAAC,EAAE;QACX,QAAQ,CAAC,QAAQ;QACjB,QAAQ,CAAC,YAAY;QACrB,QAAQ,CAAC,gBAAgB;QACzB,QAAQ,CAAC,QAAQ;QACjB,QAAQ,CAAC,WAAW;KACrB,CAAC;IACF,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClF,KAAK,MAAM,MAAM,IAAI,IAAI,EAAE,CAAC;QAC1B,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;AACH,CAAC;AAED,yDAAyD;AACzD,MAAM,CAAC,MAAM,eAAe,GAAG,gBAAgB,CAAC;IAC9C,IAAI,EAAE;QACJ,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;QACrB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACnC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,aAAa,EAAE;YACjC,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,GAAG;SACf,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC;AAEH,4EAA4E;AAC5E,MAAM,CAAC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;IAChD,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IAC/B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,EAAE;aACxB,KAAK,CAAC,aAAa,CAAC;aACpB,SAAS,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;aAC9D,MAAM,EAAE,CAAC;QAEZ,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,kCAAkC;QAClC,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEhC,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,CAAC,UAAU;QACzB,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,cAAc,CAAC;IAChD,IAAI,EAAE;QACJ,QAAQ,EAAE,4BAA4B;QACtC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACpC;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAA+B,CAAC;QACtD,yBAAyB,CAAC,QAAQ,CAAC,CAAC;QAEpC,sCAAsC;QACtC,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;QAEzC,4CAA4C;QAC5C,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;QAC5C,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;QAEhE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,CAAC;QAE5C,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,eAAe,EAAE;YAC9D,SAAS;YACT,YAAY;YACZ,QAAQ,EAAE,QAAQ,CAAC,EAAE;YACrB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,SAAS;SACV,CAAC,CAAC;QAEH,0BAA0B;QAC1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAC/C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,EAAE,gBAAgB,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAC;IAC9C,CAAC;CACF,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,cAAc,CAAC;IAC3C,IAAI,EAAE;QACJ,QAAQ,EAAE,4BAA4B;QACtC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACnC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAA+B,CAAC;QACtD,yBAAyB,CAAC,QAAQ,CAAC,CAAC;QACpC,wEAAwE;QACxE,MAAM,OAAO,GAAG,KAAK,CAAC;QAEtB,6CAA6C;QAC7C,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,WAAW,CACvC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,iBAAiB,EAC1C,EAAE,SAAS,EAAE,CACd,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,IAAI,WAAW,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,8CAA8C;QAC9C,MAAM,WAAW,GAAG,IAAI,eAAe,CAAC;YACtC,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,QAAQ,CAAC,QAAQ;YAC5B,aAAa,EAAE,QAAQ,CAAC,YAAY;YACpC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,aAAa,EAAE,WAAW,CAAC,YAAY;SACxC,CAAC,CAAC;QAEH,IAAI,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,WAAW,EAAE,CAAC;YAChD,WAAW,CAAC,GAAG,CACb,cAAc,EACd,CAAC,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,WAAW,CAAE,CAC/C,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,WAAW,CAAC,QAAQ,EAAE;SAC7B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAIjC,CAAC;QAEF,sCAAsC;QACtC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE;YAClD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE,EAAE;SAC5D,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,EAQjC,CAAC;QAEF,MAAM,UAAU,GAAG,QAAQ,CAAC,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,CAAC;QAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC;QAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC;QACpD,MAAM,oBAAoB,GAAG,MAAM,CAAC,UAAU;YAC5C,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI;YACvC,CAAC,CAAC,SAAS,CAAC;QAEd,+EAA+E;QAC/E,MAAM,eAAe,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE;YACzE,UAAU;YACV,SAAS;SACV,CAAC,CAAC;QAEH,IAAI,MAA0B,CAAC;QAE/B,IAAI,eAAe,EAAE,CAAC;YACpB,oCAAoC;YACpC,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE;gBACvD,SAAS,EAAE,eAAe,CAAC,GAAG;gBAC9B,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa;gBAClC,oBAAoB;aACrB,CAAC,CAAC;YACH,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,uBAAuB;YACvB,MAAM,YAAY,GAAG,KAAK;gBACxB,CAAC,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,CAAC;gBAC/D,CAAC,CAAC,IAAI,CAAC;YAET,IAAI,CAAC,YAAY,IAAI,KAAK,EAAE,CAAC;gBAC3B,kBAAkB;gBAClB,MAAM,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;oBACzD,KAAK;oBACL,aAAa,EAAE,IAAI,EAAE,+BAA+B;oBACpD,IAAI;oBACJ,KAAK;iBACN,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,YAAY,EAAE,CAAC;gBACxB,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC;gBAC1B,iCAAiC;gBACjC,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;oBAChD,MAAM,EAAE,YAAY,CAAC,GAAG;oBACxB,aAAa,EAAE,IAAI;oBACnB,IAAI,EAAE,IAAI,IAAI,YAAY,CAAC,IAAI;oBAC/B,KAAK,EAAE,KAAK,IAAI,YAAY,CAAC,KAAK;iBACnC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;YACpE,CAAC;YAED,uBAAuB;YACvB,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE;gBACvD,MAAM;gBACN,UAAU;gBACV,SAAS;gBACT,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa;gBAClC,oBAAoB;aACrB,CAAC,CAAC;QACL,CAAC;QAED,yBAAyB;QACzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACzE,IAAI,IAAI,EAAE,MAAM,EAAE,CAAC;YACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,IAAI,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CACb,iBAAiB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE;YACxE,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;QAEH,OAAO;YACL,YAAY;YACZ,MAAM;YACN,WAAW,EAAE,WAAW,CAAC,WAAW;SACrC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}